Ethereal-users: Re: [Ethereal-users] Minimum requirements in Windows?

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <guy@xxxxxxxxxx>
Date: Mon, 18 Mar 2002 10:40:30 -0800

On Mon, Mar 18, 2002 at 09:33:43AM -0700, Barb Binder wrote:
> We were able to successfully load ethereal and it saw packets, but when
> we stopped it, it would hang loading the file (didn't matter if we saved
> the output to a file or did it in real time).

That's probably not a "hang" in the sense of it *never* finishing, it's
probably just a really long delay, due to name resolution being enabled.

I.e., Ethereal tries to find the names corresponding to IP addresses;
this can sometimes be a slow process.

For one thing, a DNS server (or NIS server, or whatever servers your OS
uses to do IP-address-to-name translation; Ethereal just uses the OS's
routines to do that) might be down, meaning that the OS's routine to do
the translation may block until it times out.

For another thing, on Windows, the OS will also try to resolve the IP
address using NetBIOS-over-TCP if there's no entry for it in DNS. 
Resolving the IP address of a machine using NetBIOS-over-TCP involves
sending a particular type of NetBIOS-over-TCP packet to that IP address
and waiting for a response (well, that particular type of packet is
typically NetBIOS-over-UDP, but "NetBIOS-over-TCP" is really just
shorthand for "NetBIOS-over-TCP-and-UDP").  If the machine isn't
*running* NetBIOS-over-TCP, no reply will be sent, so, again, a timeout
is required.  (Actually, Windows *might* be able to catch an ICMP Port
Unreachable message, if one is sent back and it reaches the machine
trying to do the IP-address-to-name lookup, and treat *that* as an
indication that the machine isn't running NetBIOS-over-TCP, but I guess
they don't do that).
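
An added illustration of the delay described in the message above (not part of the original message and not Ethereal's code): when each address is looked up with a blocking OS call, the per-address timeouts add up, whereas looking up the distinct addresses in parallel under one overall deadline bounds the wait and falls back to the numeric address. The function names, the sample addresses and the stand-in resolver `fake_lookup` are assumptions constructed for the example.

```python
import socket
import time
from concurrent.futures import ThreadPoolExecutor, wait

def os_reverse_lookup(ip):
    """Blocking IP-to-name lookup through the OS resolver; None if no name."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def resolve_sequential(ips, lookup=os_reverse_lookup):
    """One blocking call per distinct address: the delays add up."""
    names = {}
    for ip in ips:
        if ip not in names:
            names[ip] = lookup(ip) or ip
    return names

def resolve_with_deadline(ips, lookup=os_reverse_lookup, deadline=2.0, workers=16):
    """Look up all distinct addresses in parallel; after `deadline` seconds,
    any address still unresolved is shown numerically."""
    unique = list(dict.fromkeys(ips))
    names = {ip: ip for ip in unique}               # numeric fallback
    pool = ThreadPoolExecutor(max_workers=workers)
    futures = {pool.submit(lookup, ip): ip for ip in unique}
    done, _pending = wait(futures, timeout=deadline)
    pool.shutdown(wait=False, cancel_futures=True)  # Python 3.9+; skip stragglers
    for fut in done:
        if fut.exception() is None and fut.result():
            names[futures[fut]] = fut.result()
    return names

# Constructed sample data: addresses seen in a capture, and a stand-in resolver
# in which two hosts never answer (simulated by a 0.5 s block).
SAMPLE_IPS = ["192.0.2.10", "192.0.2.11", "198.51.100.7", "192.0.2.10", "198.51.100.8"]
FAKE_NAMES = {"192.0.2.10": "www.example.com", "198.51.100.7": "mail.example.org"}

def fake_lookup(ip):
    if ip not in FAKE_NAMES:
        time.sleep(0.5)                             # stands in for a resolver timeout
        return None
    return FAKE_NAMES[ip]

def timed(func, *args, **kwargs):
    start = time.monotonic()
    result = func(*args, **kwargs)
    return result, time.monotonic() - start

if __name__ == "__main__":
    print(timed(resolve_sequential, SAMPLE_IPS, fake_lookup))
    print(timed(resolve_with_deadline, SAMPLE_IPS, fake_lookup, deadline=0.2))
```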